Why SaaS Security Is No Longer an Option

Andrea Bailiff-Gush
March 20, 2024

Reco CEO and Cofounder Ofer Klein sat down with Evan Kirstel, Chief Digital Evangelist of eViRa Health, on his podcast What's Up in Tech? to discuss the cybersecurity landscape, the explosion in adoption of SaaS applications, and why SaaS security is no longer an option. In this blog post, we share a few takeaways.

Explosion in the Adoption of SaaS Applications

A lot has changed in the world of SaaS, even in just the past three years. Just 3-5 years ago, businesses used only a handful of SaaS applications in their day-to-day functions, such as Microsoft 365 and Salesforce. Now businesses use, on average, 300 SaaS applications daily, finding that they provide immense business value and help them stay competitive.

Unfortunately, securing these SaaS applications has not scaled as quickly as their adoption. As businesses add more and more applications (Reco’s current record is an organization using 11,000 SaaS applications!), they face challenges such as understanding who is using which application, who is in the environment, whether all of the applications are configured correctly, and whether the organization is still in compliance with regulators.

The manual approach of monitoring all these business-critical applications simply can’t scale. What that means is that SaaS security/SSPM is no longer a “nice to have,” but has become a business-critical need as much as the SaaS apps themselves.

The Goldilocks Approach to SaaS Security

New tools and technologies mean new opportunities for businesses to grow faster, but they also bring new threat vectors. Security teams are always tasked with deciding how to balance keeping the environment safe with keeping the business moving as quickly as possible.

At one extreme we have the option of shutting down the internet for all employees, which would help many CISOs sleep better but isn’t practical from a business perspective for, well, obvious reasons. At the other end of the spectrum, you could take the laissez-faire approach of letting loose with no security monitoring at all, which might make employees happier but would also mean an end to the business due to cybersecurity breaches.

Instead of adopting either of those two options, Ofer suggested we take more of a “Goldilocks” approach to these new SaaS technologies and securing them. We have to first understand what we have, and then quickly decide what the right way to use these applications is, as well as the wrong way, while still maintaining their benefits to the company. The only way to do this at scale is by leveraging one of the very technologies that is heavily debated in the security world: AI.

The only way to truly understand, harness, and secure an environment connected to hundreds of SaaS applications – and keep it secure – at scale is by leveraging solutions with AI built securely into them. At a small company this can be done manually: “Joe left the company, we need to make sure his account isn’t connected to X, Y, and Z applications, and Mary joining means she needs permissions.” However, as companies grow and start to use more and more applications with more intricate permissions and users, this sort of manual checking and posture management quickly becomes unmanageable. A solution like Reco that can see who any user/identity is, all the apps they’re connected to, all the data pieces, their configurations, and their permissions can only scale when powered by AI. These AI analyses and dashboards allow companies to quickly manage their environments while also harnessing the benefits of the most powerful SaaS applications.

Where To Start With SaaS Security (aka, the “Oh *&#@ Meeting”)

The first step in SaaS security is to understand the landscape you’re tasked with securing. Ofer calls this meeting the “Oh *&#@ Meeting” because most companies have no idea just how many SaaS applications are connected, let alone their user permissions and possible threat vectors. It’s easy to get overwhelmed at this stage because you don’t even know where to start on what seems like a monumental task.

The way to think about this, however, is to identify the biggest and quickest wins with the largest impact, and to accept that you won’t be able to fix every single security issue in the first minute. When customers implement Reco, part of that first implementation is a step-by-step, triaged approach to shoring up their SaaS security and posture management.

After gaining a full understanding of the environment, Reco has a recommended, step-by-step approach that focuses on short timeframes and big wins with as little effort as possible. The order of operations usually goes:

  1. Core applications: the applications that hold your most important data, where users and permissions must be the most secure.
  2. Compliance issues: what will ensure your various regulating bodies will not issue fines at your next official audit? Reco’s continuous compliance SSPM model ensures this can not only be tamed, but maintained.
  3. App governance and app discovery: which apps are talking to other apps? What permissions are they requesting? Where are the threat vectors associated with that?
  4. Risky/unused apps: are there any apps in the environment that don’t need to be? Do any have excessive permissions?

This triaging exercise focuses on the biggest wins for the fewest person-hours and is included out of the box, but Reco can also manage it with white-glove service.

Securing Your SaaS Applications

Most companies know that investing in security needs to be a priority in order to operate their businesses, but vetting new companies and startups can be difficult, especially when companies are starting to scale and deciding where their dollars will be spent. Usually this pain starts for companies as they reach the midsize level of a few hundred employees or more. By this point, companies need to have processes and security measures in place already, or they have truly risked exposure or, worse, a full breach.

When deciding between different application offerings – not just security offerings – organizations should also consider what types of permissions and access these applications are requesting. For example, Reco’s offering never requires access to actual company data, only read-only access to metadata; the AI models analyze that metadata, together with users’ identities and activities, and make recommendations based on it.

Other questions to ask when vetting applications or security tools concern the time and effort it will take not just to implement them, but to maintain them. In Reco’s case it typically takes approximately 35 minutes to implement (the company record still stands at around 45 seconds!), and it runs without any babysitting by employees. Asking these questions early on will pay dividends later.

Continuous Compliance Is the Only Compliance

With new SEC regulations and more compliance requirements following suit, many are questioning whether these are a waste of effort or time. Questions such as, “How can we detect something material and report on it within 4 days, when we only audit every 3-6 months?” are asked because, given how most security tools and technologies are set up, the answer is along the lines of, “You can’t.”

The only way forward, Ofer says, is to adopt a model of continuous compliance. If we think of our digital environment as a house, and the ways in as our doors and windows, audits check every so often whether the doors are shut and locked and the windows are closed. Continuous compliance, by contrast, tells us when a door or window has been unlocked or opened, and sends actionable alerts based on just how dangerous that change in configuration is. Instead of checking our doors and windows every 3-6 months, we should have an alerting tool that lets us know these posture shifts have occurred. This is the core of Reco’s SSPM, and one of the most important steps in SaaS security any company can take.

These are just a few of the takeaways from Ofer’s chat with Evan. We recommend watching the entire video for even deeper insights into SaaS security, the threat landscape, and how companies can protect themselves from these complex and growing threats.

ABOUT THE AUTHOR

Andrea Bailiff-Gush

Andrea is the Head of Product Marketing at Reco, responsible for driving demand and growth in SaaS security. Andrea is a startup and cybersecurity veteran, having supported organizations across various growth milestones, from Seed round to acquisition. She is passionate about growing businesses and teams to drive profitable outcomes and better well-being for customers.

Technical Review by:
Gal Nakash